1/* $OpenBSD: sshconnect2.c,v 1.188 2011/05/24 07:15:47 djm Exp $ */
2/*
3 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4 * Copyright (c) 2008 Damien Miller.  All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#include <sys/types.h>
30#include <sys/socket.h>
31#include <sys/wait.h>
32#include <sys/stat.h>
33
34#include <errno.h>
35#include <fcntl.h>
36#include <netdb.h>
37#include <pwd.h>
38#include <signal.h>
39#include <stdarg.h>
40#include <stdio.h>
41#include <string.h>
42#include <unistd.h>
43#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
44#include <vis.h>
45#endif
46
47#include "openbsd-compat/sys-queue.h"
48
49#include "xmalloc.h"
50#include "ssh.h"
51#include "ssh2.h"
52#include "buffer.h"
53#include "packet.h"
54#include "compat.h"
55#include "cipher.h"
56#include "key.h"
57#include "kex.h"
58#include "myproposal.h"
59#include "sshconnect.h"
60#include "authfile.h"
61#include "dh.h"
62#include "authfd.h"
63#include "log.h"
64#include "readconf.h"
65#include "misc.h"
66#include "match.h"
67#include "dispatch.h"
68#include "canohost.h"
69#include "msg.h"
70#include "pathnames.h"
71#include "uidswap.h"
72#include "hostfile.h"
73#include "schnorr.h"
74#include "jpake.h"
75
76#ifdef GSSAPI
77#include "ssh-gss.h"
78#endif
79
80/* import */
81extern char *client_version_string;
82extern char *server_version_string;
83extern Options options;
84
85/*
86 * SSH2 key exchange
87 */
88
89u_char *session_id2 = NULL;
90u_int session_id2_len = 0;
91
92char *xxx_host;
93struct sockaddr *xxx_hostaddr;
94
95Kex *xxx_kex = NULL;
96
97static int
98verify_host_key_callback(Key *hostkey)
99{
100	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
101		fatal("Host key verification failed.");
102	return 0;
103}
104
105static char *
106order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
107{
108	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
109	size_t maxlen;
110	struct hostkeys *hostkeys;
111	int ktype;
112	u_int i;
113
114	/* Find all hostkeys for this hostname */
115	get_hostfile_hostname_ipaddr(host, hostaddr, port, &hostname, NULL);
116	hostkeys = init_hostkeys();
117	for (i = 0; i < options.num_user_hostfiles; i++)
118		load_hostkeys(hostkeys, hostname, options.user_hostfiles[i]);
119	for (i = 0; i < options.num_system_hostfiles; i++)
120		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
121
122	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
123	maxlen = strlen(avail) + 1;
124	first = xmalloc(maxlen);
125	last = xmalloc(maxlen);
126	*first = *last = '\0';
127
128#define ALG_APPEND(to, from) \
129	do { \
130		if (*to != '\0') \
131			strlcat(to, ",", maxlen); \
132		strlcat(to, from, maxlen); \
133	} while (0)
134
135	while ((alg = strsep(&avail, ",")) && *alg != '\0') {
136		if ((ktype = key_type_from_name(alg)) == KEY_UNSPEC)
137			fatal("%s: unknown alg %s", __func__, alg);
138		if (lookup_key_in_hostkeys_by_type(hostkeys,
139		    key_type_plain(ktype), NULL))
140			ALG_APPEND(first, alg);
141		else
142			ALG_APPEND(last, alg);
143	}
144#undef ALG_APPEND
145	xasprintf(&ret, "%s%s%s", first, *first == '\0' ? "" : ",", last);
146	if (*first != '\0')
147		debug3("%s: prefer hostkeyalgs: %s", __func__, first);
148
149	xfree(first);
150	xfree(last);
151	xfree(hostname);
152	xfree(oavail);
153	free_hostkeys(hostkeys);
154
155	return ret;
156}
157
158void
159ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
160{
161	Kex *kex;
162
163	xxx_host = host;
164	xxx_hostaddr = hostaddr;
165
166	if (options.ciphers == (char *)-1) {
167		logit("No valid ciphers for protocol version 2 given, using defaults.");
168		options.ciphers = NULL;
169	}
170	if (options.ciphers != NULL) {
171		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
172		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
173	}
174	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
175	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
176	myproposal[PROPOSAL_ENC_ALGS_STOC] =
177	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
178	if (options.compression) {
179		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
180		myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
181	} else {
182		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
183		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
184	}
185	if (options.macs != NULL) {
186		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
187		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
188	}
189	if (options.hostkeyalgorithms != NULL)
190		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
191		    options.hostkeyalgorithms;
192	else {
193		/* Prefer algorithms that we already have keys for */
194		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
195		    order_hostkeyalgs(host, hostaddr, port);
196	}
197	if (options.kex_algorithms != NULL)
198		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
199
200	if (options.rekey_limit)
201		packet_set_rekey_limit((u_int32_t)options.rekey_limit);
202
203	/* start key exchange */
204	kex = kex_setup(myproposal);
205	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
206	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
207	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
208	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
209	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
210	kex->client_version_string=client_version_string;
211	kex->server_version_string=server_version_string;
212	kex->verify_host_key=&verify_host_key_callback;
213
214	xxx_kex = kex;
215
216	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
217
218	if (options.use_roaming && !kex->roaming) {
219		debug("Roaming not allowed by server");
220		options.use_roaming = 0;
221	}
222
223	session_id2 = kex->session_id;
224	session_id2_len = kex->session_id_len;
225
226#ifdef DEBUG_KEXDH
227	/* send 1st encrypted/maced/compressed message */
228	packet_start(SSH2_MSG_IGNORE);
229	packet_put_cstring("markus");
230	packet_send();
231	packet_write_wait();
232#endif
233}
234
235/*
236 * Authenticate user
237 */
238
239typedef struct Authctxt Authctxt;
240typedef struct Authmethod Authmethod;
241typedef struct identity Identity;
242typedef struct idlist Idlist;
243
244struct identity {
245	TAILQ_ENTRY(identity) next;
246	AuthenticationConnection *ac;	/* set if agent supports key */
247	Key	*key;			/* public/private key */
248	char	*filename;		/* comment for agent-only keys */
249	int	tried;
250	int	isprivate;		/* key points to the private key */
251};
252TAILQ_HEAD(idlist, identity);
253
254struct Authctxt {
255	const char *server_user;
256	const char *local_user;
257	const char *host;
258	const char *service;
259	Authmethod *method;
260	sig_atomic_t success;
261	char *authlist;
262	/* pubkey */
263	Idlist keys;
264	AuthenticationConnection *agent;
265	/* hostbased */
266	Sensitive *sensitive;
267	/* kbd-interactive */
268	int info_req_seen;
269	/* generic */
270	void *methoddata;
271};
272struct Authmethod {
273	char	*name;		/* string to compare against server's list */
274	int	(*userauth)(Authctxt *authctxt);
275	void	(*cleanup)(Authctxt *authctxt);
276	int	*enabled;	/* flag in option struct that enables method */
277	int	*batch_flag;	/* flag in option struct that disables method */
278};
279
280void	input_userauth_success(int, u_int32_t, void *);
281void	input_userauth_success_unexpected(int, u_int32_t, void *);
282void	input_userauth_failure(int, u_int32_t, void *);
283void	input_userauth_banner(int, u_int32_t, void *);
284void	input_userauth_error(int, u_int32_t, void *);
285void	input_userauth_info_req(int, u_int32_t, void *);
286void	input_userauth_pk_ok(int, u_int32_t, void *);
287void	input_userauth_passwd_changereq(int, u_int32_t, void *);
288void	input_userauth_jpake_server_step1(int, u_int32_t, void *);
289void	input_userauth_jpake_server_step2(int, u_int32_t, void *);
290void	input_userauth_jpake_server_confirm(int, u_int32_t, void *);
291
292int	userauth_none(Authctxt *);
293int	userauth_pubkey(Authctxt *);
294int	userauth_passwd(Authctxt *);
295int	userauth_kbdint(Authctxt *);
296int	userauth_hostbased(Authctxt *);
297int	userauth_jpake(Authctxt *);
298
299void	userauth_jpake_cleanup(Authctxt *);
300
301#ifdef GSSAPI
302int	userauth_gssapi(Authctxt *authctxt);
303void	input_gssapi_response(int type, u_int32_t, void *);
304void	input_gssapi_token(int type, u_int32_t, void *);
305void	input_gssapi_hash(int type, u_int32_t, void *);
306void	input_gssapi_error(int, u_int32_t, void *);
307void	input_gssapi_errtok(int, u_int32_t, void *);
308#endif
309
310void	userauth(Authctxt *, char *);
311
312static int sign_and_send_pubkey(Authctxt *, Identity *);
313static void pubkey_prepare(Authctxt *);
314static void pubkey_cleanup(Authctxt *);
315static Key *load_identity_file(char *);
316
317static Authmethod *authmethod_get(char *authlist);
318static Authmethod *authmethod_lookup(const char *name);
319static char *authmethods_get(void);
320
321Authmethod authmethods[] = {
322#ifdef GSSAPI
323	{"gssapi-with-mic",
324		userauth_gssapi,
325		NULL,
326		&options.gss_authentication,
327		NULL},
328#endif
329	{"hostbased",
330		userauth_hostbased,
331		NULL,
332		&options.hostbased_authentication,
333		NULL},
334	{"publickey",
335		userauth_pubkey,
336		NULL,
337		&options.pubkey_authentication,
338		NULL},
339#ifdef JPAKE
340	{"jpake-01@openssh.com",
341		userauth_jpake,
342		userauth_jpake_cleanup,
343		&options.zero_knowledge_password_authentication,
344		&options.batch_mode},
345#endif
346	{"keyboard-interactive",
347		userauth_kbdint,
348		NULL,
349		&options.kbd_interactive_authentication,
350		&options.batch_mode},
351	{"password",
352		userauth_passwd,
353		NULL,
354		&options.password_authentication,
355		&options.batch_mode},
356	{"none",
357		userauth_none,
358		NULL,
359		NULL,
360		NULL},
361	{NULL, NULL, NULL, NULL, NULL}
362};
363
364void
365ssh_userauth2(const char *local_user, const char *server_user, char *host,
366    Sensitive *sensitive)
367{
368	Authctxt authctxt;
369	int type;
370
371	if (options.challenge_response_authentication)
372		options.kbd_interactive_authentication = 1;
373
374	packet_start(SSH2_MSG_SERVICE_REQUEST);
375	packet_put_cstring("ssh-userauth");
376	packet_send();
377	debug("SSH2_MSG_SERVICE_REQUEST sent");
378	packet_write_wait();
379	type = packet_read();
380	if (type != SSH2_MSG_SERVICE_ACCEPT)
381		fatal("Server denied authentication request: %d", type);
382	if (packet_remaining() > 0) {
383		char *reply = packet_get_string(NULL);
384		debug2("service_accept: %s", reply);
385		xfree(reply);
386	} else {
387		debug2("buggy server: service_accept w/o service");
388	}
389	packet_check_eom();
390	debug("SSH2_MSG_SERVICE_ACCEPT received");
391
392	if (options.preferred_authentications == NULL)
393		options.preferred_authentications = authmethods_get();
394
395	/* setup authentication context */
396	memset(&authctxt, 0, sizeof(authctxt));
397	pubkey_prepare(&authctxt);
398	authctxt.server_user = server_user;
399	authctxt.local_user = local_user;
400	authctxt.host = host;
401	authctxt.service = "ssh-connection";		/* service name */
402	authctxt.success = 0;
403	authctxt.method = authmethod_lookup("none");
404	authctxt.authlist = NULL;
405	authctxt.methoddata = NULL;
406	authctxt.sensitive = sensitive;
407	authctxt.info_req_seen = 0;
408	if (authctxt.method == NULL)
409		fatal("ssh_userauth2: internal error: cannot send userauth none request");
410
411	/* initial userauth request */
412	userauth_none(&authctxt);
413
414	dispatch_init(&input_userauth_error);
415	dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
416	dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
417	dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
418	dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt);	/* loop until success */
419
420	pubkey_cleanup(&authctxt);
421	dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
422
423	debug("Authentication succeeded (%s).", authctxt.method->name);
424}
425
426void
427userauth(Authctxt *authctxt, char *authlist)
428{
429	if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
430		authctxt->method->cleanup(authctxt);
431
432	if (authctxt->methoddata) {
433		xfree(authctxt->methoddata);
434		authctxt->methoddata = NULL;
435	}
436	if (authlist == NULL) {
437		authlist = authctxt->authlist;
438	} else {
439		if (authctxt->authlist)
440			xfree(authctxt->authlist);
441		authctxt->authlist = authlist;
442	}
443	for (;;) {
444		Authmethod *method = authmethod_get(authlist);
445		if (method == NULL)
446			fatal("Permission denied (%s).", authlist);
447		authctxt->method = method;
448
449		/* reset the per method handler */
450		dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN,
451		    SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
452
453		/* and try new method */
454		if (method->userauth(authctxt) != 0) {
455			debug2("we sent a %s packet, wait for reply", method->name);
456			break;
457		} else {
458			debug2("we did not send a packet, disable method");
459			method->enabled = NULL;
460		}
461	}
462}
463
464/* ARGSUSED */
465void
466input_userauth_error(int type, u_int32_t seq, void *ctxt)
467{
468	fatal("input_userauth_error: bad message during authentication: "
469	    "type %d", type);
470}
471
472/* ARGSUSED */
473void
474input_userauth_banner(int type, u_int32_t seq, void *ctxt)
475{
476	char *msg, *raw, *lang;
477	u_int len;
478
479	debug3("input_userauth_banner");
480	raw = packet_get_string(&len);
481	lang = packet_get_string(NULL);
482	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
483		if (len > 65536)
484			len = 65536;
485		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
486		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
487		fprintf(stderr, "%s", msg);
488		xfree(msg);
489	}
490	xfree(raw);
491	xfree(lang);
492}
493
494/* ARGSUSED */
495void
496input_userauth_success(int type, u_int32_t seq, void *ctxt)
497{
498	Authctxt *authctxt = ctxt;
499
500	if (authctxt == NULL)
501		fatal("input_userauth_success: no authentication context");
502	if (authctxt->authlist) {
503		xfree(authctxt->authlist);
504		authctxt->authlist = NULL;
505	}
506	if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
507		authctxt->method->cleanup(authctxt);
508	if (authctxt->methoddata) {
509		xfree(authctxt->methoddata);
510		authctxt->methoddata = NULL;
511	}
512	authctxt->success = 1;			/* break out */
513}
514
515void
516input_userauth_success_unexpected(int type, u_int32_t seq, void *ctxt)
517{
518	Authctxt *authctxt = ctxt;
519
520	if (authctxt == NULL)
521		fatal("%s: no authentication context", __func__);
522
523	fatal("Unexpected authentication success during %s.",
524	    authctxt->method->name);
525}
526
527/* ARGSUSED */
528void
529input_userauth_failure(int type, u_int32_t seq, void *ctxt)
530{
531	Authctxt *authctxt = ctxt;
532	char *authlist = NULL;
533	int partial;
534
535	if (authctxt == NULL)
536		fatal("input_userauth_failure: no authentication context");
537
538	authlist = packet_get_string(NULL);
539	partial = packet_get_char();
540	packet_check_eom();
541
542	if (partial != 0)
543		logit("Authenticated with partial success.");
544	debug("Authentications that can continue: %s", authlist);
545
546	userauth(authctxt, authlist);
547}
548
549/* ARGSUSED */
550void
551input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
552{
553	Authctxt *authctxt = ctxt;
554	Key *key = NULL;
555	Identity *id = NULL;
556	Buffer b;
557	int pktype, sent = 0;
558	u_int alen, blen;
559	char *pkalg, *fp;
560	u_char *pkblob;
561
562	if (authctxt == NULL)
563		fatal("input_userauth_pk_ok: no authentication context");
564	if (datafellows & SSH_BUG_PKOK) {
565		/* this is similar to SSH_BUG_PKAUTH */
566		debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
567		pkblob = packet_get_string(&blen);
568		buffer_init(&b);
569		buffer_append(&b, pkblob, blen);
570		pkalg = buffer_get_string(&b, &alen);
571		buffer_free(&b);
572	} else {
573		pkalg = packet_get_string(&alen);
574		pkblob = packet_get_string(&blen);
575	}
576	packet_check_eom();
577
578	debug("Server accepts key: pkalg %s blen %u", pkalg, blen);
579
580	if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
581		debug("unknown pkalg %s", pkalg);
582		goto done;
583	}
584	if ((key = key_from_blob(pkblob, blen)) == NULL) {
585		debug("no key from blob. pkalg %s", pkalg);
586		goto done;
587	}
588	if (key->type != pktype) {
589		error("input_userauth_pk_ok: type mismatch "
590		    "for decoded key (received %d, expected %d)",
591		    key->type, pktype);
592		goto done;
593	}
594	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
595	debug2("input_userauth_pk_ok: fp %s", fp);
596	xfree(fp);
597
598	/*
599	 * search keys in the reverse order, because last candidate has been
600	 * moved to the end of the queue.  this also avoids confusion by
601	 * duplicate keys
602	 */
603	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
604		if (key_equal(key, id->key)) {
605			sent = sign_and_send_pubkey(authctxt, id);
606			break;
607		}
608	}
609done:
610	if (key != NULL)
611		key_free(key);
612	xfree(pkalg);
613	xfree(pkblob);
614
615	/* try another method if we did not send a packet */
616	if (sent == 0)
617		userauth(authctxt, NULL);
618}
619
620#ifdef GSSAPI
621int
622userauth_gssapi(Authctxt *authctxt)
623{
624	Gssctxt *gssctxt = NULL;
625	static gss_OID_set gss_supported = NULL;
626	static u_int mech = 0;
627	OM_uint32 min;
628	int ok = 0;
629
630	/* Try one GSSAPI method at a time, rather than sending them all at
631	 * once. */
632
633	if (gss_supported == NULL)
634		gss_indicate_mechs(&min, &gss_supported);
635
636	/* Check to see if the mechanism is usable before we offer it */
637	while (mech < gss_supported->count && !ok) {
638		/* My DER encoding requires length<128 */
639		if (gss_supported->elements[mech].length < 128 &&
640		    ssh_gssapi_check_mechanism(&gssctxt,
641		    &gss_supported->elements[mech], authctxt->host)) {
642			ok = 1; /* Mechanism works */
643		} else {
644			mech++;
645		}
646	}
647
648	if (!ok)
649		return 0;
650
651	authctxt->methoddata=(void *)gssctxt;
652
653	packet_start(SSH2_MSG_USERAUTH_REQUEST);
654	packet_put_cstring(authctxt->server_user);
655	packet_put_cstring(authctxt->service);
656	packet_put_cstring(authctxt->method->name);
657
658	packet_put_int(1);
659
660	packet_put_int((gss_supported->elements[mech].length) + 2);
661	packet_put_char(SSH_GSS_OIDTYPE);
662	packet_put_char(gss_supported->elements[mech].length);
663	packet_put_raw(gss_supported->elements[mech].elements,
664	    gss_supported->elements[mech].length);
665
666	packet_send();
667
668	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
669	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
670	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
671	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
672
673	mech++; /* Move along to next candidate */
674
675	return 1;
676}
677
678static OM_uint32
679process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
680{
681	Authctxt *authctxt = ctxt;
682	Gssctxt *gssctxt = authctxt->methoddata;
683	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
684	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
685	gss_buffer_desc gssbuf;
686	OM_uint32 status, ms, flags;
687	Buffer b;
688
689	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
690	    recv_tok, &send_tok, &flags);
691
692	if (send_tok.length > 0) {
693		if (GSS_ERROR(status))
694			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
695		else
696			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
697
698		packet_put_string(send_tok.value, send_tok.length);
699		packet_send();
700		gss_release_buffer(&ms, &send_tok);
701	}
702
703	if (status == GSS_S_COMPLETE) {
704		/* send either complete or MIC, depending on mechanism */
705		if (!(flags & GSS_C_INTEG_FLAG)) {
706			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
707			packet_send();
708		} else {
709			ssh_gssapi_buildmic(&b, authctxt->server_user,
710			    authctxt->service, "gssapi-with-mic");
711
712			gssbuf.value = buffer_ptr(&b);
713			gssbuf.length = buffer_len(&b);
714
715			status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
716
717			if (!GSS_ERROR(status)) {
718				packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
719				packet_put_string(mic.value, mic.length);
720
721				packet_send();
722			}
723
724			buffer_free(&b);
725			gss_release_buffer(&ms, &mic);
726		}
727	}
728
729	return status;
730}
731
732/* ARGSUSED */
733void
734input_gssapi_response(int type, u_int32_t plen, void *ctxt)
735{
736	Authctxt *authctxt = ctxt;
737	Gssctxt *gssctxt;
738	int oidlen;
739	char *oidv;
740
741	if (authctxt == NULL)
742		fatal("input_gssapi_response: no authentication context");
743	gssctxt = authctxt->methoddata;
744
745	/* Setup our OID */
746	oidv = packet_get_string(&oidlen);
747
748	if (oidlen <= 2 ||
749	    oidv[0] != SSH_GSS_OIDTYPE ||
750	    oidv[1] != oidlen - 2) {
751		xfree(oidv);
752		debug("Badly encoded mechanism OID received");
753		userauth(authctxt, NULL);
754		return;
755	}
756
757	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
758		fatal("Server returned different OID than expected");
759
760	packet_check_eom();
761
762	xfree(oidv);
763
764	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
765		/* Start again with next method on list */
766		debug("Trying to start again");
767		userauth(authctxt, NULL);
768		return;
769	}
770}
771
772/* ARGSUSED */
773void
774input_gssapi_token(int type, u_int32_t plen, void *ctxt)
775{
776	Authctxt *authctxt = ctxt;
777	gss_buffer_desc recv_tok;
778	OM_uint32 status;
779	u_int slen;
780
781	if (authctxt == NULL)
782		fatal("input_gssapi_response: no authentication context");
783
784	recv_tok.value = packet_get_string(&slen);
785	recv_tok.length = slen;	/* safe typecast */
786
787	packet_check_eom();
788
789	status = process_gssapi_token(ctxt, &recv_tok);
790
791	xfree(recv_tok.value);
792
793	if (GSS_ERROR(status)) {
794		/* Start again with the next method in the list */
795		userauth(authctxt, NULL);
796		return;
797	}
798}
799
800/* ARGSUSED */
801void
802input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
803{
804	Authctxt *authctxt = ctxt;
805	Gssctxt *gssctxt;
806	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
807	gss_buffer_desc recv_tok;
808	OM_uint32 status, ms;
809	u_int len;
810
811	if (authctxt == NULL)
812		fatal("input_gssapi_response: no authentication context");
813	gssctxt = authctxt->methoddata;
814
815	recv_tok.value = packet_get_string(&len);
816	recv_tok.length = len;
817
818	packet_check_eom();
819
820	/* Stick it into GSSAPI and see what it says */
821	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
822	    &recv_tok, &send_tok, NULL);
823
824	xfree(recv_tok.value);
825	gss_release_buffer(&ms, &send_tok);
826
827	/* Server will be returning a failed packet after this one */
828}
829
830/* ARGSUSED */
831void
832input_gssapi_error(int type, u_int32_t plen, void *ctxt)
833{
834	OM_uint32 maj, min;
835	char *msg;
836	char *lang;
837
838	maj=packet_get_int();
839	min=packet_get_int();
840	msg=packet_get_string(NULL);
841	lang=packet_get_string(NULL);
842
843	packet_check_eom();
844
845	debug("Server GSSAPI Error:\n%s", msg);
846	xfree(msg);
847	xfree(lang);
848}
849#endif /* GSSAPI */
850
851int
852userauth_none(Authctxt *authctxt)
853{
854	/* initial userauth request */
855	packet_start(SSH2_MSG_USERAUTH_REQUEST);
856	packet_put_cstring(authctxt->server_user);
857	packet_put_cstring(authctxt->service);
858	packet_put_cstring(authctxt->method->name);
859	packet_send();
860	return 1;
861}
862
863int
864userauth_passwd(Authctxt *authctxt)
865{
866	static int attempt = 0;
867	char prompt[150];
868	char *password;
869	const char *host = options.host_key_alias ?  options.host_key_alias :
870	    authctxt->host;
871
872	if (attempt++ >= options.number_of_password_prompts)
873		return 0;
874
875	if (attempt != 1)
876		error("Permission denied, please try again.");
877
878	snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
879	    authctxt->server_user, host);
880	password = read_passphrase(prompt, 0);
881	packet_start(SSH2_MSG_USERAUTH_REQUEST);
882	packet_put_cstring(authctxt->server_user);
883	packet_put_cstring(authctxt->service);
884	packet_put_cstring(authctxt->method->name);
885	packet_put_char(0);
886	packet_put_cstring(password);
887	memset(password, 0, strlen(password));
888	xfree(password);
889	packet_add_padding(64);
890	packet_send();
891
892	dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
893	    &input_userauth_passwd_changereq);
894
895	return 1;
896}
897
898/*
899 * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
900 */
901/* ARGSUSED */
902void
903input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
904{
905	Authctxt *authctxt = ctxt;
906	char *info, *lang, *password = NULL, *retype = NULL;
907	char prompt[150];
908	const char *host = options.host_key_alias ? options.host_key_alias :
909	    authctxt->host;
910
911	debug2("input_userauth_passwd_changereq");
912
913	if (authctxt == NULL)
914		fatal("input_userauth_passwd_changereq: "
915		    "no authentication context");
916
917	info = packet_get_string(NULL);
918	lang = packet_get_string(NULL);
919	if (strlen(info) > 0)
920		logit("%s", info);
921	xfree(info);
922	xfree(lang);
923	packet_start(SSH2_MSG_USERAUTH_REQUEST);
924	packet_put_cstring(authctxt->server_user);
925	packet_put_cstring(authctxt->service);
926	packet_put_cstring(authctxt->method->name);
927	packet_put_char(1);			/* additional info */
928	snprintf(prompt, sizeof(prompt),
929	    "Enter %.30s@%.128s's old password: ",
930	    authctxt->server_user, host);
931	password = read_passphrase(prompt, 0);
932	packet_put_cstring(password);
933	memset(password, 0, strlen(password));
934	xfree(password);
935	password = NULL;
936	while (password == NULL) {
937		snprintf(prompt, sizeof(prompt),
938		    "Enter %.30s@%.128s's new password: ",
939		    authctxt->server_user, host);
940		password = read_passphrase(prompt, RP_ALLOW_EOF);
941		if (password == NULL) {
942			/* bail out */
943			return;
944		}
945		snprintf(prompt, sizeof(prompt),
946		    "Retype %.30s@%.128s's new password: ",
947		    authctxt->server_user, host);
948		retype = read_passphrase(prompt, 0);
949		if (strcmp(password, retype) != 0) {
950			memset(password, 0, strlen(password));
951			xfree(password);
952			logit("Mismatch; try again, EOF to quit.");
953			password = NULL;
954		}
955		memset(retype, 0, strlen(retype));
956		xfree(retype);
957	}
958	packet_put_cstring(password);
959	memset(password, 0, strlen(password));
960	xfree(password);
961	packet_add_padding(64);
962	packet_send();
963
964	dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
965	    &input_userauth_passwd_changereq);
966}
967
968#ifdef JPAKE
969static char *
970pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
971{
972	/* OpenBSD crypt(3) handles all of these */
973	if (strcmp(crypt_scheme, "crypt") == 0 ||
974	    strcmp(crypt_scheme, "bcrypt") == 0 ||
975	    strcmp(crypt_scheme, "md5crypt") == 0 ||
976	    strcmp(crypt_scheme, "crypt-extended") == 0)
977		return xstrdup(crypt(password, salt));
978	error("%s: unsupported password encryption scheme \"%.100s\"",
979	    __func__, crypt_scheme);
980	return NULL;
981}
982
983static BIGNUM *
984jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
985    const char *salt)
986{
987	char prompt[256], *password, *crypted;
988	u_char *secret;
989	u_int secret_len;
990	BIGNUM *ret;
991
992	snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
993	    authctxt->server_user, authctxt->host);
994	password = read_passphrase(prompt, 0);
995
996	if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
997		logit("Disabling %s authentication", authctxt->method->name);
998		authctxt->method->enabled = NULL;
999		/* Continue with an empty password to fail gracefully */
1000		crypted = xstrdup("");
1001	}
1002
1003#ifdef JPAKE_DEBUG
1004	debug3("%s: salt = %s", __func__, salt);
1005	debug3("%s: scheme = %s", __func__, crypt_scheme);
1006	debug3("%s: crypted = %s", __func__, crypted);
1007#endif
1008
1009	if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
1010	    &secret, &secret_len) != 0)
1011		fatal("%s: hash_buffer", __func__);
1012
1013	bzero(password, strlen(password));
1014	bzero(crypted, strlen(crypted));
1015	xfree(password);
1016	xfree(crypted);
1017
1018	if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
1019		fatal("%s: BN_bin2bn (secret)", __func__);
1020	bzero(secret, secret_len);
1021	xfree(secret);
1022
1023	return ret;
1024}
1025
1026/* ARGSUSED */
1027void
1028input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
1029{
1030	Authctxt *authctxt = ctxt;
1031	struct jpake_ctx *pctx = authctxt->methoddata;
1032	u_char *x3_proof, *x4_proof, *x2_s_proof;
1033	u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
1034	char *crypt_scheme, *salt;
1035
1036	/* Disable this message */
1037	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
1038
1039	if ((pctx->g_x3 = BN_new()) == NULL ||
1040	    (pctx->g_x4 = BN_new()) == NULL)
1041		fatal("%s: BN_new", __func__);
1042
1043	/* Fetch step 1 values */
1044	crypt_scheme = packet_get_string(NULL);
1045	salt = packet_get_string(NULL);
1046	pctx->server_id = packet_get_string(&pctx->server_id_len);
1047	packet_get_bignum2(pctx->g_x3);
1048	packet_get_bignum2(pctx->g_x4);
1049	x3_proof = packet_get_string(&x3_proof_len);
1050	x4_proof = packet_get_string(&x4_proof_len);
1051	packet_check_eom();
1052
1053	JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
1054
1055	/* Obtain password and derive secret */
1056	pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
1057	bzero(crypt_scheme, strlen(crypt_scheme));
1058	bzero(salt, strlen(salt));
1059	xfree(crypt_scheme);
1060	xfree(salt);
1061	JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
1062
1063	/* Calculate step 2 values */
1064	jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
1065	    pctx->g_x3, pctx->g_x4, pctx->x2,
1066	    pctx->server_id, pctx->server_id_len,
1067	    pctx->client_id, pctx->client_id_len,
1068	    x3_proof, x3_proof_len,
1069	    x4_proof, x4_proof_len,
1070	    &pctx->a,
1071	    &x2_s_proof, &x2_s_proof_len);
1072
1073	bzero(x3_proof, x3_proof_len);
1074	bzero(x4_proof, x4_proof_len);
1075	xfree(x3_proof);
1076	xfree(x4_proof);
1077
1078	JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
1079
1080	/* Send values for step 2 */
1081	packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
1082	packet_put_bignum2(pctx->a);
1083	packet_put_string(x2_s_proof, x2_s_proof_len);
1084	packet_send();
1085
1086	bzero(x2_s_proof, x2_s_proof_len);
1087	xfree(x2_s_proof);
1088
1089	/* Expect step 2 packet from peer */
1090	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
1091	    input_userauth_jpake_server_step2);
1092}
1093
1094/* ARGSUSED */
1095void
1096input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
1097{
1098	Authctxt *authctxt = ctxt;
1099	struct jpake_ctx *pctx = authctxt->methoddata;
1100	u_char *x4_s_proof;
1101	u_int x4_s_proof_len;
1102
1103	/* Disable this message */
1104	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
1105
1106	if ((pctx->b = BN_new()) == NULL)
1107		fatal("%s: BN_new", __func__);
1108
1109	/* Fetch step 2 values */
1110	packet_get_bignum2(pctx->b);
1111	x4_s_proof = packet_get_string(&x4_s_proof_len);
1112	packet_check_eom();
1113
1114	JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
1115
1116	/* Derive shared key and calculate confirmation hash */
1117	jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
1118	    pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
1119	    pctx->client_id, pctx->client_id_len,
1120	    pctx->server_id, pctx->server_id_len,
1121	    session_id2, session_id2_len,
1122	    x4_s_proof, x4_s_proof_len,
1123	    &pctx->k,
1124	    &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
1125
1126	bzero(x4_s_proof, x4_s_proof_len);
1127	xfree(x4_s_proof);
1128
1129	JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
1130
1131	/* Send key confirmation proof */
1132	packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
1133	packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
1134	packet_send();
1135
1136	/* Expect confirmation from peer */
1137	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
1138	    input_userauth_jpake_server_confirm);
1139}
1140
1141/* ARGSUSED */
1142void
1143input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
1144{
1145	Authctxt *authctxt = ctxt;
1146	struct jpake_ctx *pctx = authctxt->methoddata;
1147
1148	/* Disable this message */
1149	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
1150
1151	pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
1152	packet_check_eom();
1153
1154	JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
1155
1156	/* Verify expected confirmation hash */
1157	if (jpake_check_confirm(pctx->k,
1158	    pctx->server_id, pctx->server_id_len,
1159	    session_id2, session_id2_len,
1160	    pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
1161		debug("%s: %s success", __func__, authctxt->method->name);
1162	else {
1163		debug("%s: confirmation mismatch", __func__);
1164		/* XXX stash this so if auth succeeds then we can warn/kill */
1165	}
1166
1167	userauth_jpake_cleanup(authctxt);
1168}
1169#endif /* JPAKE */
1170
1171static int
1172identity_sign(Identity *id, u_char **sigp, u_int *lenp,
1173    u_char *data, u_int datalen)
1174{
1175	Key *prv;
1176	int ret;
1177
1178	/* the agent supports this key */
1179	if (id->ac)
1180		return (ssh_agent_sign(id->ac, id->key, sigp, lenp,
1181		    data, datalen));
1182	/*
1183	 * we have already loaded the private key or
1184	 * the private key is stored in external hardware
1185	 */
1186	if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
1187		return (key_sign(id->key, sigp, lenp, data, datalen));
1188	/* load the private key from the file */
1189	if ((prv = load_identity_file(id->filename)) == NULL)
1190		return (-1);
1191	ret = key_sign(prv, sigp, lenp, data, datalen);
1192	key_free(prv);
1193	return (ret);
1194}
1195
1196static int
1197sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
1198{
1199	Buffer b;
1200	u_char *blob, *signature;
1201	u_int bloblen, slen;
1202	u_int skip = 0;
1203	int ret = -1;
1204	int have_sig = 1;
1205	char *fp;
1206
1207	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
1208	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
1209	xfree(fp);
1210
1211	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1212		/* we cannot handle this key */
1213		debug3("sign_and_send_pubkey: cannot handle key");
1214		return 0;
1215	}
1216	/* data to be signed */
1217	buffer_init(&b);
1218	if (datafellows & SSH_OLD_SESSIONID) {
1219		buffer_append(&b, session_id2, session_id2_len);
1220		skip = session_id2_len;
1221	} else {
1222		buffer_put_string(&b, session_id2, session_id2_len);
1223		skip = buffer_len(&b);
1224	}
1225	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1226	buffer_put_cstring(&b, authctxt->server_user);
1227	buffer_put_cstring(&b,
1228	    datafellows & SSH_BUG_PKSERVICE ?
1229	    "ssh-userauth" :
1230	    authctxt->service);
1231	if (datafellows & SSH_BUG_PKAUTH) {
1232		buffer_put_char(&b, have_sig);
1233	} else {
1234		buffer_put_cstring(&b, authctxt->method->name);
1235		buffer_put_char(&b, have_sig);
1236		buffer_put_cstring(&b, key_ssh_name(id->key));
1237	}
1238	buffer_put_string(&b, blob, bloblen);
1239
1240	/* generate signature */
1241	ret = identity_sign(id, &signature, &slen,
1242	    buffer_ptr(&b), buffer_len(&b));
1243	if (ret == -1) {
1244		xfree(blob);
1245		buffer_free(&b);
1246		return 0;
1247	}
1248#ifdef DEBUG_PK
1249	buffer_dump(&b);
1250#endif
1251	if (datafellows & SSH_BUG_PKSERVICE) {
1252		buffer_clear(&b);
1253		buffer_append(&b, session_id2, session_id2_len);
1254		skip = session_id2_len;
1255		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1256		buffer_put_cstring(&b, authctxt->server_user);
1257		buffer_put_cstring(&b, authctxt->service);
1258		buffer_put_cstring(&b, authctxt->method->name);
1259		buffer_put_char(&b, have_sig);
1260		if (!(datafellows & SSH_BUG_PKAUTH))
1261			buffer_put_cstring(&b, key_ssh_name(id->key));
1262		buffer_put_string(&b, blob, bloblen);
1263	}
1264	xfree(blob);
1265
1266	/* append signature */
1267	buffer_put_string(&b, signature, slen);
1268	xfree(signature);
1269
1270	/* skip session id and packet type */
1271	if (buffer_len(&b) < skip + 1)
1272		fatal("userauth_pubkey: internal error");
1273	buffer_consume(&b, skip + 1);
1274
1275	/* put remaining data from buffer into packet */
1276	packet_start(SSH2_MSG_USERAUTH_REQUEST);
1277	packet_put_raw(buffer_ptr(&b), buffer_len(&b));
1278	buffer_free(&b);
1279	packet_send();
1280
1281	return 1;
1282}
1283
1284static int
1285send_pubkey_test(Authctxt *authctxt, Identity *id)
1286{
1287	u_char *blob;
1288	u_int bloblen, have_sig = 0;
1289
1290	debug3("send_pubkey_test");
1291
1292	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
1293		/* we cannot handle this key */
1294		debug3("send_pubkey_test: cannot handle key");
1295		return 0;
1296	}
1297	/* register callback for USERAUTH_PK_OK message */
1298	dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
1299
1300	packet_start(SSH2_MSG_USERAUTH_REQUEST);
1301	packet_put_cstring(authctxt->server_user);
1302	packet_put_cstring(authctxt->service);
1303	packet_put_cstring(authctxt->method->name);
1304	packet_put_char(have_sig);
1305	if (!(datafellows & SSH_BUG_PKAUTH))
1306		packet_put_cstring(key_ssh_name(id->key));
1307	packet_put_string(blob, bloblen);
1308	xfree(blob);
1309	packet_send();
1310	return 1;
1311}
1312
1313static Key *
1314load_identity_file(char *filename)
1315{
1316	Key *private;
1317	char prompt[300], *passphrase;
1318	int perm_ok = 0, quit, i;
1319	struct stat st;
1320
1321	if (stat(filename, &st) < 0) {
1322		debug3("no such identity: %s", filename);
1323		return NULL;
1324	}
1325	private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
1326	if (!perm_ok)
1327		return NULL;
1328	if (private == NULL) {
1329		if (options.batch_mode)
1330			return NULL;
1331		snprintf(prompt, sizeof prompt,
1332		    "Enter passphrase for key '%.100s': ", filename);
1333		for (i = 0; i < options.number_of_password_prompts; i++) {
1334			passphrase = read_passphrase(prompt, 0);
1335			if (strcmp(passphrase, "") != 0) {
1336				private = key_load_private_type(KEY_UNSPEC,
1337				    filename, passphrase, NULL, NULL);
1338				quit = 0;
1339			} else {
1340				debug2("no passphrase given, try next key");
1341				quit = 1;
1342			}
1343			memset(passphrase, 0, strlen(passphrase));
1344			xfree(passphrase);
1345			if (private != NULL || quit)
1346				break;
1347			debug2("bad passphrase given, try again...");
1348		}
1349	}
1350	return private;
1351}
1352
1353/*
1354 * try keys in the following order:
1355 *	1. agent keys that are found in the config file
1356 *	2. other agent keys
1357 *	3. keys that are only listed in the config file
1358 */
1359static void
1360pubkey_prepare(Authctxt *authctxt)
1361{
1362	Identity *id;
1363	Idlist agent, files, *preferred;
1364	Key *key;
1365	AuthenticationConnection *ac;
1366	char *comment;
1367	int i, found;
1368
1369	TAILQ_INIT(&agent);	/* keys from the agent */
1370	TAILQ_INIT(&files);	/* keys from the config file */
1371	preferred = &authctxt->keys;
1372	TAILQ_INIT(preferred);	/* preferred order of keys */
1373
1374	/* list of keys stored in the filesystem */
1375	for (i = 0; i < options.num_identity_files; i++) {
1376		key = options.identity_keys[i];
1377		if (key && key->type == KEY_RSA1)
1378			continue;
1379		if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER)
1380			continue;
1381		options.identity_keys[i] = NULL;
1382		id = xcalloc(1, sizeof(*id));
1383		id->key = key;
1384		id->filename = xstrdup(options.identity_files[i]);
1385		TAILQ_INSERT_TAIL(&files, id, next);
1386	}
1387	/* list of keys supported by the agent */
1388	if ((ac = ssh_get_authentication_connection())) {
1389		for (key = ssh_get_first_identity(ac, &comment, 2);
1390		    key != NULL;
1391		    key = ssh_get_next_identity(ac, &comment, 2)) {
1392			found = 0;
1393			TAILQ_FOREACH(id, &files, next) {
1394				/* agent keys from the config file are preferred */
1395				if (key_equal(key, id->key)) {
1396					key_free(key);
1397					xfree(comment);
1398					TAILQ_REMOVE(&files, id, next);
1399					TAILQ_INSERT_TAIL(preferred, id, next);
1400					id->ac = ac;
1401					found = 1;
1402					break;
1403				}
1404			}
1405			if (!found && !options.identities_only) {
1406				id = xcalloc(1, sizeof(*id));
1407				id->key = key;
1408				id->filename = comment;
1409				id->ac = ac;
1410				TAILQ_INSERT_TAIL(&agent, id, next);
1411			}
1412		}
1413		/* append remaining agent keys */
1414		for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
1415			TAILQ_REMOVE(&agent, id, next);
1416			TAILQ_INSERT_TAIL(preferred, id, next);
1417		}
1418		authctxt->agent = ac;
1419	}
1420	/* append remaining keys from the config file */
1421	for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
1422		TAILQ_REMOVE(&files, id, next);
1423		TAILQ_INSERT_TAIL(preferred, id, next);
1424	}
1425	TAILQ_FOREACH(id, preferred, next) {
1426		debug2("key: %s (%p)", id->filename, id->key);
1427	}
1428}
1429
1430static void
1431pubkey_cleanup(Authctxt *authctxt)
1432{
1433	Identity *id;
1434
1435	if (authctxt->agent != NULL)
1436		ssh_close_authentication_connection(authctxt->agent);
1437	for (id = TAILQ_FIRST(&authctxt->keys); id;
1438	    id = TAILQ_FIRST(&authctxt->keys)) {
1439		TAILQ_REMOVE(&authctxt->keys, id, next);
1440		if (id->key)
1441			key_free(id->key);
1442		if (id->filename)
1443			xfree(id->filename);
1444		xfree(id);
1445	}
1446}
1447
1448int
1449userauth_pubkey(Authctxt *authctxt)
1450{
1451	Identity *id;
1452	int sent = 0;
1453
1454	while ((id = TAILQ_FIRST(&authctxt->keys))) {
1455		if (id->tried++)
1456			return (0);
1457		/* move key to the end of the queue */
1458		TAILQ_REMOVE(&authctxt->keys, id, next);
1459		TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
1460		/*
1461		 * send a test message if we have the public key. for
1462		 * encrypted keys we cannot do this and have to load the
1463		 * private key instead
1464		 */
1465		if (id->key && id->key->type != KEY_RSA1) {
1466			debug("Offering %s public key: %s", key_type(id->key),
1467			    id->filename);
1468			sent = send_pubkey_test(authctxt, id);
1469		} else if (id->key == NULL) {
1470			debug("Trying private key: %s", id->filename);
1471			id->key = load_identity_file(id->filename);
1472			if (id->key != NULL) {
1473				id->isprivate = 1;
1474				sent = sign_and_send_pubkey(authctxt, id);
1475				key_free(id->key);
1476				id->key = NULL;
1477			}
1478		}
1479		if (sent)
1480			return (sent);
1481	}
1482	return (0);
1483}
1484
1485/*
1486 * Send userauth request message specifying keyboard-interactive method.
1487 */
1488int
1489userauth_kbdint(Authctxt *authctxt)
1490{
1491	static int attempt = 0;
1492
1493	if (attempt++ >= options.number_of_password_prompts)
1494		return 0;
1495	/* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
1496	if (attempt > 1 && !authctxt->info_req_seen) {
1497		debug3("userauth_kbdint: disable: no info_req_seen");
1498		dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);
1499		return 0;
1500	}
1501
1502	debug2("userauth_kbdint");
1503	packet_start(SSH2_MSG_USERAUTH_REQUEST);
1504	packet_put_cstring(authctxt->server_user);
1505	packet_put_cstring(authctxt->service);
1506	packet_put_cstring(authctxt->method->name);
1507	packet_put_cstring("");					/* lang */
1508	packet_put_cstring(options.kbd_interactive_devices ?
1509	    options.kbd_interactive_devices : "");
1510	packet_send();
1511
1512	dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
1513	return 1;
1514}
1515
1516/*
1517 * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
1518 */
1519void
1520input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
1521{
1522	Authctxt *authctxt = ctxt;
1523	char *name, *inst, *lang, *prompt, *response;
1524	u_int num_prompts, i;
1525	int echo = 0;
1526
1527	debug2("input_userauth_info_req");
1528
1529	if (authctxt == NULL)
1530		fatal("input_userauth_info_req: no authentication context");
1531
1532	authctxt->info_req_seen = 1;
1533
1534	name = packet_get_string(NULL);
1535	inst = packet_get_string(NULL);
1536	lang = packet_get_string(NULL);
1537	if (strlen(name) > 0)
1538		logit("%s", name);
1539	if (strlen(inst) > 0)
1540		logit("%s", inst);
1541	xfree(name);
1542	xfree(inst);
1543	xfree(lang);
1544
1545	num_prompts = packet_get_int();
1546	/*
1547	 * Begin to build info response packet based on prompts requested.
1548	 * We commit to providing the correct number of responses, so if
1549	 * further on we run into a problem that prevents this, we have to
1550	 * be sure and clean this up and send a correct error response.
1551	 */
1552	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
1553	packet_put_int(num_prompts);
1554
1555	debug2("input_userauth_info_req: num_prompts %d", num_prompts);
1556	for (i = 0; i < num_prompts; i++) {
1557		prompt = packet_get_string(NULL);
1558		echo = packet_get_char();
1559
1560		response = read_passphrase(prompt, echo ? RP_ECHO : 0);
1561
1562		packet_put_cstring(response);
1563		memset(response, 0, strlen(response));
1564		xfree(response);
1565		xfree(prompt);
1566	}
1567	packet_check_eom(); /* done with parsing incoming message. */
1568
1569	packet_add_padding(64);
1570	packet_send();
1571}
1572
1573static int
1574ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
1575    u_char *data, u_int datalen)
1576{
1577	Buffer b;
1578	struct stat st;
1579	pid_t pid;
1580	int to[2], from[2], status, version = 2;
1581
1582	debug2("ssh_keysign called");
1583
1584	if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
1585		error("ssh_keysign: not installed: %s", strerror(errno));
1586		return -1;
1587	}
1588	if (fflush(stdout) != 0)
1589		error("ssh_keysign: fflush: %s", strerror(errno));
1590	if (pipe(to) < 0) {
1591		error("ssh_keysign: pipe: %s", strerror(errno));
1592		return -1;
1593	}
1594	if (pipe(from) < 0) {
1595		error("ssh_keysign: pipe: %s", strerror(errno));
1596		return -1;
1597	}
1598	if ((pid = fork()) < 0) {
1599		error("ssh_keysign: fork: %s", strerror(errno));
1600		return -1;
1601	}
1602	if (pid == 0) {
1603		/* keep the socket on exec */
1604		fcntl(packet_get_connection_in(), F_SETFD, 0);
1605		permanently_drop_suid(getuid());
1606		close(from[0]);
1607		if (dup2(from[1], STDOUT_FILENO) < 0)
1608			fatal("ssh_keysign: dup2: %s", strerror(errno));
1609		close(to[1]);
1610		if (dup2(to[0], STDIN_FILENO) < 0)
1611			fatal("ssh_keysign: dup2: %s", strerror(errno));
1612		close(from[1]);
1613		close(to[0]);
1614		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
1615		fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN,
1616		    strerror(errno));
1617	}
1618	close(from[1]);
1619	close(to[0]);
1620
1621	buffer_init(&b);
1622	buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
1623	buffer_put_string(&b, data, datalen);
1624	if (ssh_msg_send(to[1], version, &b) == -1)
1625		fatal("ssh_keysign: couldn't send request");
1626
1627	if (ssh_msg_recv(from[0], &b) < 0) {
1628		error("ssh_keysign: no reply");
1629		buffer_free(&b);
1630		return -1;
1631	}
1632	close(from[0]);
1633	close(to[1]);
1634
1635	while (waitpid(pid, &status, 0) < 0)
1636		if (errno != EINTR)
1637			break;
1638
1639	if (buffer_get_char(&b) != version) {
1640		error("ssh_keysign: bad version");
1641		buffer_free(&b);
1642		return -1;
1643	}
1644	*sigp = buffer_get_string(&b, lenp);
1645	buffer_free(&b);
1646
1647	return 0;
1648}
1649
1650int
1651userauth_hostbased(Authctxt *authctxt)
1652{
1653	Key *private = NULL;
1654	Sensitive *sensitive = authctxt->sensitive;
1655	Buffer b;
1656	u_char *signature, *blob;
1657	char *chost, *pkalg, *p;
1658	const char *service;
1659	u_int blen, slen;
1660	int ok, i, found = 0;
1661
1662	/* check for a useful key */
1663	for (i = 0; i < sensitive->nkeys; i++) {
1664		private = sensitive->keys[i];
1665		if (private && private->type != KEY_RSA1) {
1666			found = 1;
1667			/* we take and free the key */
1668			sensitive->keys[i] = NULL;
1669			break;
1670		}
1671	}
1672	if (!found) {
1673		debug("No more client hostkeys for hostbased authentication.");
1674		return 0;
1675	}
1676	if (key_to_blob(private, &blob, &blen) == 0) {
1677		key_free(private);
1678		return 0;
1679	}
1680	/* figure out a name for the client host */
1681	p = get_local_name(packet_get_connection_in());
1682	if (p == NULL) {
1683		error("userauth_hostbased: cannot get local ipaddr/name");
1684		key_free(private);
1685		xfree(blob);
1686		return 0;
1687	}
1688	xasprintf(&chost, "%s.", p);
1689	debug2("userauth_hostbased: chost %s", chost);
1690	xfree(p);
1691
1692	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
1693	    authctxt->service;
1694	pkalg = xstrdup(key_ssh_name(private));
1695	buffer_init(&b);
1696	/* construct data */
1697	buffer_put_string(&b, session_id2, session_id2_len);
1698	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
1699	buffer_put_cstring(&b, authctxt->server_user);
1700	buffer_put_cstring(&b, service);
1701	buffer_put_cstring(&b, authctxt->method->name);
1702	buffer_put_cstring(&b, pkalg);
1703	buffer_put_string(&b, blob, blen);
1704	buffer_put_cstring(&b, chost);
1705	buffer_put_cstring(&b, authctxt->local_user);
1706#ifdef DEBUG_PK
1707	buffer_dump(&b);
1708#endif
1709	if (sensitive->external_keysign)
1710		ok = ssh_keysign(private, &signature, &slen,
1711		    buffer_ptr(&b), buffer_len(&b));
1712	else
1713		ok = key_sign(private, &signature, &slen,
1714		    buffer_ptr(&b), buffer_len(&b));
1715	key_free(private);
1716	buffer_free(&b);
1717	if (ok != 0) {
1718		error("key_sign failed");
1719		xfree(chost);
1720		xfree(pkalg);
1721		xfree(blob);
1722		return 0;
1723	}
1724	packet_start(SSH2_MSG_USERAUTH_REQUEST);
1725	packet_put_cstring(authctxt->server_user);
1726	packet_put_cstring(authctxt->service);
1727	packet_put_cstring(authctxt->method->name);
1728	packet_put_cstring(pkalg);
1729	packet_put_string(blob, blen);
1730	packet_put_cstring(chost);
1731	packet_put_cstring(authctxt->local_user);
1732	packet_put_string(signature, slen);
1733	memset(signature, 's', slen);
1734	xfree(signature);
1735	xfree(chost);
1736	xfree(pkalg);
1737	xfree(blob);
1738
1739	packet_send();
1740	return 1;
1741}
1742
1743#ifdef JPAKE
1744int
1745userauth_jpake(Authctxt *authctxt)
1746{
1747	struct jpake_ctx *pctx;
1748	u_char *x1_proof, *x2_proof;
1749	u_int x1_proof_len, x2_proof_len;
1750	static int attempt = 0; /* XXX share with userauth_password's? */
1751
1752	if (attempt++ >= options.number_of_password_prompts)
1753		return 0;
1754	if (attempt != 1)
1755		error("Permission denied, please try again.");
1756
1757	if (authctxt->methoddata != NULL)
1758		fatal("%s: authctxt->methoddata already set (%p)",
1759		    __func__, authctxt->methoddata);
1760
1761	authctxt->methoddata = pctx = jpake_new();
1762
1763	/*
1764	 * Send request immediately, to get the protocol going while
1765	 * we do the initial computations.
1766	 */
1767	packet_start(SSH2_MSG_USERAUTH_REQUEST);
1768	packet_put_cstring(authctxt->server_user);
1769	packet_put_cstring(authctxt->service);
1770	packet_put_cstring(authctxt->method->name);
1771	packet_send();
1772	packet_write_wait();
1773
1774	jpake_step1(pctx->grp,
1775	    &pctx->client_id, &pctx->client_id_len,
1776	    &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
1777	    &x1_proof, &x1_proof_len,
1778	    &x2_proof, &x2_proof_len);
1779
1780	JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
1781
1782	packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
1783	packet_put_string(pctx->client_id, pctx->client_id_len);
1784	packet_put_bignum2(pctx->g_x1);
1785	packet_put_bignum2(pctx->g_x2);
1786	packet_put_string(x1_proof, x1_proof_len);
1787	packet_put_string(x2_proof, x2_proof_len);
1788	packet_send();
1789
1790	bzero(x1_proof, x1_proof_len);
1791	bzero(x2_proof, x2_proof_len);
1792	xfree(x1_proof);
1793	xfree(x2_proof);
1794
1795	/* Expect step 1 packet from peer */
1796	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
1797	    input_userauth_jpake_server_step1);
1798	dispatch_set(SSH2_MSG_USERAUTH_SUCCESS,
1799	    &input_userauth_success_unexpected);
1800
1801	return 1;
1802}
1803
1804void
1805userauth_jpake_cleanup(Authctxt *authctxt)
1806{
1807	debug3("%s: clean up", __func__);
1808	if (authctxt->methoddata != NULL) {
1809		jpake_free(authctxt->methoddata);
1810		authctxt->methoddata = NULL;
1811	}
1812	dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
1813}
1814#endif /* JPAKE */
1815
1816/* find auth method */
1817
1818/*
1819 * given auth method name, if configurable options permit this method fill
1820 * in auth_ident field and return true, otherwise return false.
1821 */
1822static int
1823authmethod_is_enabled(Authmethod *method)
1824{
1825	if (method == NULL)
1826		return 0;
1827	/* return false if options indicate this method is disabled */
1828	if  (method->enabled == NULL || *method->enabled == 0)
1829		return 0;
1830	/* return false if batch mode is enabled but method needs interactive mode */
1831	if  (method->batch_flag != NULL && *method->batch_flag != 0)
1832		return 0;
1833	return 1;
1834}
1835
1836static Authmethod *
1837authmethod_lookup(const char *name)
1838{
1839	Authmethod *method = NULL;
1840	if (name != NULL)
1841		for (method = authmethods; method->name != NULL; method++)
1842			if (strcmp(name, method->name) == 0)
1843				return method;
1844	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
1845	return NULL;
1846}
1847
1848/* XXX internal state */
1849static Authmethod *current = NULL;
1850static char *supported = NULL;
1851static char *preferred = NULL;
1852
1853/*
1854 * Given the authentication method list sent by the server, return the
1855 * next method we should try.  If the server initially sends a nil list,
1856 * use a built-in default list.
1857 */
1858static Authmethod *
1859authmethod_get(char *authlist)
1860{
1861	char *name = NULL;
1862	u_int next;
1863
1864	/* Use a suitable default if we're passed a nil list.  */
1865	if (authlist == NULL || strlen(authlist) == 0)
1866		authlist = options.preferred_authentications;
1867
1868	if (supported == NULL || strcmp(authlist, supported) != 0) {
1869		debug3("start over, passed a different list %s", authlist);
1870		if (supported != NULL)
1871			xfree(supported);
1872		supported = xstrdup(authlist);
1873		preferred = options.preferred_authentications;
1874		debug3("preferred %s", preferred);
1875		current = NULL;
1876	} else if (current != NULL && authmethod_is_enabled(current))
1877		return current;
1878
1879	for (;;) {
1880		if ((name = match_list(preferred, supported, &next)) == NULL) {
1881			debug("No more authentication methods to try.");
1882			current = NULL;
1883			return NULL;
1884		}
1885		preferred += next;
1886		debug3("authmethod_lookup %s", name);
1887		debug3("remaining preferred: %s", preferred);
1888		if ((current = authmethod_lookup(name)) != NULL &&
1889		    authmethod_is_enabled(current)) {
1890			debug3("authmethod_is_enabled %s", name);
1891			debug("Next authentication method: %s", name);
1892			xfree(name);
1893			return current;
1894		}
1895	}
1896	if (name != NULL)
1897		xfree(name);
1898}
1899
1900static char *
1901authmethods_get(void)
1902{
1903	Authmethod *method = NULL;
1904	Buffer b;
1905	char *list;
1906
1907	buffer_init(&b);
1908	for (method = authmethods; method->name != NULL; method++) {
1909		if (authmethod_is_enabled(method)) {
1910			if (buffer_len(&b) > 0)
1911				buffer_append(&b, ",", 1);
1912			buffer_append(&b, method->name, strlen(method->name));
1913		}
1914	}
1915	buffer_append(&b, "\0", 1);
1916	list = xstrdup(buffer_ptr(&b));
1917	buffer_free(&b);
1918	return list;
1919}
1920
1921